Solved: Re: peak day count for the day of the month and av...

francly · ‎08-29-2021

Hi, I get the exactly same count for avg and peak, any issue with my query?

index=a sourcetype=ab earliest=-30d latest=now
 | bucket _time span=1mon
 | stats count by _time
 | eval date_month=strftime(_time, "%b")
 | eval date_day=strftime(_time, "%a")
 | stats avg(count) as AverageCountPerDay max(count) AS Peak_Per_Month by date_month, date_day

date_month date_day AverageCountPerDay Peak_Per_Month

Aug	Sun	82037650	82037650
Jul	Thu	4621995	4621995

ITWhisperer · ‎08-30-2021

| bin _time span=1d

View solution in original post

ITWhisperer · ‎08-29-2021

Bucket is setting each _time to the beginning of the month, stats is counting for that day so you are only getting one count for each month, so average and max are the same

francly · ‎08-30-2021

What is the query I should use?

ITWhisperer · ‎08-30-2021

| bin _time span=1d

peak day count for the day of the month and avg for the month

stats

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup